The publication was initially developed (early 2000) by the SANS Institute. Ownership was eventually transferred to the Center for Internet Security (CIS) in 2015. The CIS Controls are created by experts from numerous government agencies and industry leaders, with the aim of being industry-agnostic and universally applicable.
The CIS Controls are a mature, open standard for performing vulnerability assessments and an excellent starting point for proactively improving an organization's security posture.
CIS provides a phased approach to implementing the 20 Controls, consisting of the following steps:
- Make a formal, conscious top-level decision to make the CIS Controls part of the organization’s standard for defense. Senior management and the Board of Directors should be on board for support and accountability.
- Assign a program manager who will be empowered and responsible for the implementation of the CIS Controls.
- Decide who will be responsible for the long-term sustainability of maintaining cyber defenses.
- Start with a gap analysis, assessment or audit of the organization's current state against the CIS Controls, and develop a scheduled implementation plan that gives priority to the first five Controls.
- Document the long-term plan (3-5 years) for implementing cyber defenses that are not already a part of the entity’s defensive strategy.
- Embed the definitions or goals of the CIS Controls into the organization’s documented security policies to streamline their implementation.
- Ensure that internal and external auditors use the CIS Controls as a part of their benchmark for assessing the organization’s security stance.
- Educate workforce members on the organization’s security goals and enlist their help as a part of the long-term defense of the organization’s data.